IS3: Network security - Universitetet i Bergen


IC3-2: Network security
Part 1 - A general overview of network security
Outline
> Network Topologies
> Network Addressing
> LANs
> MANs
> WANs
Ethernet
> IEEE 802.3, technology originated from
Xerox Corp.
> Data packaged into frames
> Network Interface Card (NIC)
> CSMA/CD
> Carrier Sense
> Multiple Access
> Collision Detection
Network Cabling
> Cabling
> Thick Ethernet – 10BASE-5
> Thin Ethernet – 10BASE-2
> Shielded & Unshielded Twisted Pair (STP, UTP) – 10BASE-T (Cat 3), 100BASE-T (Cat 5)
> Fibre Optic – Gigabit Ethernet
> Wireless LAN
> TCP/IP Layer 1
Cabling in OSI Protocol Stack
(Diagram: OSI layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical; cabling sits at layer 1, Physical)
Cabling Issues
> Physical Environment
> Trunking
> Network Closets
> Risers
> Physical Environment - Issues
> Single or multi-occupancy
> Access control to floor / building
> Network passes through public areas
> Network infrastructure easily accessible
> Network infrastructure shares facilities
> Electromagnetic environment
Thin Ethernet
> Short overall cable runs.
> Vulnerability: information broadcast to all devices.
> Threat: Information Leakage, Illegitimate Use
> Vulnerability: One cable fault disables network
> Threat: Denial of Service
> Easy to install & attach additional devices
> Vulnerability: Anyone can plug into hub.
> Threat: Illegitimate Use.
> Rarely seen now.
(Diagram: Thin Ethernet segment)
UTP and Hub
> Cable between hub and device is a single
entity
> Only connectors are at the cable ends
> Additional devices can only be added at the
hub
> Disconnection/cable break rarely affects other
devices
> Easy to install
(Diagram: UTP cabling from each device to a 10/100BASE-T hub)
Other Layer 1 options
> Fibre Optic
> Cable between hub and device is a single entity
> Tapping or altering the cable is difficult
> Installation is more difficult
> Much higher speeds
> Wireless LAN
> Popular where building restrictions apply.
> Several disadvantages
> Radio signals are subject to interference, interception,
and alteration.
> Difficult to restrict to building perimeter.
> Security must be built in from initial network design.
Hubs
> Data is broadcast to everyone on the hub
> Vulnerability: information broadcast to all devices.
> Threat: Information Leakage, Illegitimate Use
> Vulnerability: Anyone can plug into hub.
> Threat: Illegitimate Use.
> TCP/IP Layer 1
> Intelligent Hubs
> Signal regeneration.
> Traffic monitoring.
> Can be configured remotely.
Hubs in OSI Protocol Stack
(Diagram: OSI layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical; cabling and hubs sit at layer 1, Physical)
Ethernet Addressing
> Address of Network Interface Card
> Unique 48 bit value
> First 24 bits indicate the vendor.
> For example, 00:E0:81:10:19:FC
> 00:E0:81 indicates Tyan Corporation
> 10:19:FC indicates the 1,055,228th NIC
> Media Access Control (MAC) address
IP Addressing
> IP address is 32 bits long
> Usually expressed as 4 octets separated by dots
> 62.49.67.170
> RFC 1918 specifies reserved addresses for use on private networks.
> 10.0.0.0 to 10.255.255.255
> 172.16.0.0 to 172.31.255.255
> 192.168.0.0 to 192.168.255.255
> Many large ranges assigned
> 13.x.x.x Xerox, 18.x.x.x MIT, 54.x.x.x Merck
IP address to Ethernet address
> Address Resolution Protocol (ARP)
> Layer 3 protocol
> Maps IP address to MAC address
> ARP Query
> Who has 192.168.0.40? Tell 192.168.0.20
> ARP Reply
> 192.168.0.40 is at 00:0e:81:10:19:FC
> ARP caches for speed
> Records previous ARP replies
> Entries are aged and eventually discarded
ARP Query & ARP Reply (diagram)
Web Browser: IP 192.168.0.20, MAC 00:0e:81:10:17:D1. Web Server: IP 192.168.0.40, MAC 00:0e:81:10:19:FC. Both on a 10/100BASE-T hub.
(1) ARP Query from the browser: Who has 192.168.0.40?
(2) ARP Reply from the server: 192.168.0.40 is at 00:0e:81:10:19:FC
Switches
> Switches only send data to the intended receiver.
> Builds an index of which device has which MAC address.
Switch index (diagram, switch on 10/100BASE-T):
Device  MAC address
1       00:0e:81:10:19:FC
2       00:0e:81:32:96:af
3       00:0e:81:31:2f:d7
4       00:0e:81:97:03:05
8       00:0e:81:10:17:d1
Switch Operation
> When a frame arrives at switch
> Switch looks up destination MAC address in index.
> Sends the frame to the device in the index that owns that MAC address.
> Switches are often intelligent:
> Traffic monitoring, remotely configurable.
> Switches operate at Layer 2.
Switches in OSI Protocol Stack
(Diagram: OSI layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link: switches, 1 Physical: cabling, hubs)
ARP Vulnerability
> ARP spoofing
> Masquerade threat
> Gratuitous ARP
> ARP replies have no proof of origin
> A malicious device can claim any MAC address
> Enables all fundamental threats
Before ARP spoofing (diagram)
Host 192.168.0.20 (MAC 00:0e:81:10:17:d1) ARP cache:
  192.168.0.40  00:0e:81:10:19:FC
  192.168.0.1   00:1f:42:12:04:72
Host 192.168.0.40 (MAC 00:0e:81:10:19:FC) ARP cache:
  192.168.0.20  00:0e:81:10:17:d1
  192.168.0.1   00:1f:42:12:04:72
Attacker: IP 192.168.0.1, MAC 00:1f:42:12:04:72. All three devices are on one switch.
After ARP spoofing (diagram)
(1) Gratuitous ARP from the attacker: 192.168.0.40 is at 00:1f:42:12:04:72
(2) Gratuitous ARP from the attacker: 192.168.0.20 is at 00:1f:42:12:04:72
Host 192.168.0.20 ARP cache:
  192.168.0.40  00:1f:42:12:04:72
  192.168.0.1   00:1f:42:12:04:72
Host 192.168.0.40 ARP cache:
  192.168.0.20  00:1f:42:12:04:72
  192.168.0.1   00:1f:42:12:04:72
Effect of ARP spoofing (diagram)
Host 192.168.0.20 sends an IP datagram, Dest: 192.168.0.40, in a frame addressed to MAC 00:1f:42:12:04:72 (the attacker), so the switch delivers it to the attacker's port.
Attacker's relay index:
  192.168.0.40  00:0e:81:10:19:FC
  192.168.0.20  00:0e:81:10:17:d1
Switch Vulnerability
> MAC Flooding
> Malicious device connected to switch
> Sends multiple Gratuitous ARPs
> Each ARP claims a different MAC address
> When index fills, some switches revert to hub behaviour
Switch index while flooded (diagram):
Entry  Device  MAC address
1      1       00:0e:81:10:19:FC
2      4       00:0e:81:32:96:af
3      4       00:0e:81:32:96:b0
4      4       00:0e:81:32:96:b1
…      …       …
9999   4       00:0e:81:32:97:a4
Safeguards?
> Physically secure the switch
> Switches should failsafe when flooded
> Threat: Denial of Service
> Arpwatch: monitors MAC to IP address mappings
> Switch port locking of MAC addresses
> Prevents ARP spoofing
> Reduces flexibility
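The two safeguards above, an Arpwatch-style IP-to-MAC monitor and a per-port MAC count for port locking, as an added example (not code from the lecture); the switch port numbers and the flood sample are assumptions, the IPs and MACs are the slides' diagram values:

```python
from collections import defaultdict

# Constructed sample of ARP replies as a switch-side monitor might record them:
# (ingress port, sender IP, sender MAC). IPs and MACs are the lecture's diagram
# values; the port numbers are an assumption of this example.
ARP_EVENTS = [
    (1, "192.168.0.40", "00:0e:81:10:19:FC"),
    (8, "192.168.0.20", "00:0e:81:10:17:d1"),
    (4, "192.168.0.1",  "00:1f:42:12:04:72"),
    (4, "192.168.0.40", "00:1f:42:12:04:72"),   # gratuitous ARP claiming .40
    (4, "192.168.0.20", "00:1f:42:12:04:72"),   # gratuitous ARP claiming .20
]

# Constructed MAC flooding sample: 300 distinct source MACs arriving on port 4.
FLOOD_EVENTS = [
    (4, f"10.0.{i >> 8}.{i & 0xff}", f"00:0e:81:32:{i >> 8:02x}:{i & 0xff:02x}")
    for i in range(300)
]


def watch_arp(events):
    """Arpwatch-style check: report every IP whose advertised MAC changes.

    A host rarely changes its MAC; several IPs suddenly pointing at one MAC
    is the pattern of the gratuitous ARP attack shown in the diagrams.
    """
    seen = {}          # ip -> last MAC seen (normalised to lower case)
    alerts = []
    for port, ip, mac in events:
        mac = mac.lower()
        old = seen.get(ip)
        if old is not None and old != mac:
            alerts.append(f"port {port}: {ip} moved from {old} to {mac}")
        seen[ip] = mac
    return alerts


def watch_ports(events, limit):
    """Port-locking check: ports sourcing more distinct MACs than `limit` allows.

    A port that sources hundreds of MACs is filling the switch index (MAC
    flooding); locking one MAC per access port blocks it, at the cost of the
    flexibility the slide mentions.
    """
    macs_per_port = defaultdict(set)
    for port, _ip, mac in events:
        macs_per_port[port].add(mac.lower())
    return {port: len(macs) for port, macs in macs_per_port.items()
            if len(macs) > limit}


if __name__ == "__main__":
    for line in watch_arp(ARP_EVENTS):
        print("ARP change:", line)
    print("flooded ports:", watch_ports(ARP_EVENTS + FLOOD_EVENTS, limit=1))
```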
IP Routers
> Routers support indirect delivery of IP datagrams.
> Employing routing tables.
> Information about possible destinations and how to reach them.
> Three possible actions for a datagram
> Sent directly to destination host.
> Sent to next router on way to known destination.
> Sent to default router.
> IP Routers operate at Layer 3.
Routers in OSI Protocol Stack
(Diagram: OSI layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network: routers, 2 Data Link: switches, 1 Physical: cabling, hubs)
Routers (diagram)
Host 192.168.0.20: IP address 192.168.0.20, Subnet 255.255.255.0, Default router 192.168.0.254. Host 192.168.0.40 is on the same switch.
Router: 192.168.0.254 on the LAN side, 62.49.147.169 towards the Internet.
Second Router: 62.49.147.170 towards the Internet, 192.168.1.254 on its own LAN, where hosts 192.168.1.10 and 192.168.1.11 sit on a second switch.
The slides then trace three IP datagrams sent from 192.168.0.20:
> Dest: 192.168.0.40 - same subnet, sent directly to the destination host.
> Dest: 192.168.1.11 - sent to the default router 192.168.0.254, which forwards it to the second router.
> Dest: 134.219.200.69 - sent to the default router and on to the Internet.
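The three forwarding actions, worked through the diagram's addresses as an added example (not the lecture's code): the host decides first, then the first router. The routing-table entries, the /30 on the inter-router link and the ISP uplink label are assumptions, since the slides show interfaces but no tables.

```python
from ipaddress import ip_address, ip_network

# Addresses come from the routing diagrams; the table entries, the /30 on the
# inter-router link and the ISP uplink label are assumptions of this example.
ISP_UPLINK = "upstream ISP router (placeholder, not on the slide)"

# A table is a list of (destination network, next hop). Next hop None means
# the network is directly attached and the datagram goes straight to the host.
HOST_TABLE = [
    (ip_network("192.168.0.0/24"), None),   # 192.168.0.20 with mask 255.255.255.0
]
HOST_DEFAULT = "192.168.0.254"               # the host's default router

ROUTER_A_TABLE = [
    (ip_network("192.168.0.0/24"), None),                          # LAN side 192.168.0.254
    (ip_network("62.49.147.168/30"), None),                        # link 62.49.147.169 <-> .170
    (ip_network("192.168.1.0/24"), ip_address("62.49.147.170")),   # behind the second router
]


def next_hop(dest, table, default):
    """Return (action, hop) for one datagram: 'direct', 'route' or 'default'."""
    d = ip_address(dest)
    matches = [(net, hop) for net, hop in table if d in net]
    if not matches:
        return "default", default                 # nothing known: default router
    net, hop = max(matches, key=lambda m: m[0].prefixlen)   # longest prefix wins
    return ("direct", str(d)) if hop is None else ("route", str(hop))


def path_from_host(dest):
    """Walk the slides' three cases: the host decides first, then router A."""
    hops = [next_hop(dest, HOST_TABLE, HOST_DEFAULT)]
    if hops[0][0] != "direct":
        hops.append(next_hop(dest, ROUTER_A_TABLE, ISP_UPLINK))
    return hops


if __name__ == "__main__":
    for dest in ("192.168.0.40", "192.168.1.11", "134.219.200.69"):
        print(dest, "->", path_from_host(dest))
```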
VLANs
> VLAN is a virtual LAN.
> Switch is configured to divide up devices into VLANs.
> Device on one VLAN can’t send to devices on another VLAN.
(Diagram: one switch partitioned into VLANs)
VLANs & Routers
> How to get from one VLAN to another?
> Connect them with a router.
(Diagram: router attached to the switch)
Secure?
Layer 3… (diagram): Network 192.168.0.0 holds A (192.168.0.1) and B (192.168.0.2); Network 192.168.1.0 holds C (192.168.1.1) and D (192.168.1.2); a router joins the two networks.
Layer 2… (diagram): A, B, C and D all plug into the same switch.
At Layer 3, the switch is “invisible”
At Layer 2, the switch becomes “visible”
TCP handshaking
> Each TCP connection begins with three packets:
> A SYN packet from sender to receiver.
> “Can we talk?”
> A SYN/ACK packet from receiver to sender.
> “Fine – ready to start?”
> An ACK packet from sender to receiver.
> “OK, start”
TCP Handshaking (diagram)
192.168.0.20 to 192.168.0.40: TCP packet, SYN flag; IP datagram Src: 192.168.0.20, Dest: 192.168.0.40
192.168.0.40 to 192.168.0.20: TCP packet, SYN & ACK flag; IP datagram Src: 192.168.0.40, Dest: 192.168.0.20
192.168.0.20 to 192.168.0.40: TCP packet, ACK flag; IP datagram Src: 192.168.0.20, Dest: 192.168.0.40
Tracking TCP handshakes
> The destination machine has to track which machines it has sent a “SYN+ACK” to
> Keeps a list of TCP SYN packets that have had a SYN+ACK returned.
> When ACK is received, packet removed from list as connection is open.
TCP Denial Of Service
> What if the sender doesn’t answer with an ACK?
> A SYN packet from sender to receiver.
> “Can we talk?”
> A SYN/ACK packet from receiver to sender.
> “Fine – ready to start?”
> … nothing …
> If the sender sends 100 SYN packets per second
> Eventually receiver runs out of room to track the SYN+ACK replies
> SYN flooding.
IP Spoofing
> A machine can place any IP address in the source address of an IP datagram.
> Disadvantage: Any reply packet will return to the wrong place.
> Advantage (to an attacker): No-one knows who sent the packet.
> If the sender sends 100 SYN packets per second with spoofed source addresses…
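The receiver's SYN+ACK list from the slides, modelled as a fixed-size half-open table so the exhaustion can be measured, as an added example (not from the lecture). It shows why ageing unanswered entries is the receiver's safeguard: legitimate connections are refused only while the flood rate exceeds capacity divided by the timeout. The capacity and timeout values are assumptions; the 62.49.10.x sources are constructed in the slide's address range.

```python
class SynBacklog:
    """Table of half-open connections: SYNs answered with SYN+ACK, awaiting the ACK."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # how many SYN+ACKs the receiver can track
        self.timeout = timeout        # seconds before an unanswered entry is aged out
        self.pending = {}             # (src ip, src port) -> time the SYN+ACK was sent
        self.dropped = 0              # SYNs refused because the table was full

    def expire(self, now):
        """Safeguard: discard entries whose ACK never came within the timeout."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, src, now):
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False              # no room: this SYN gets no SYN+ACK
        self.pending[src] = now       # SYN+ACK sent, now wait for the ACK
        return True

    def on_ack(self, src):
        return self.pending.pop(src, None) is not None   # handshake complete


def simulate(rate, seconds, capacity, timeout):
    """Attacker sends `rate` SYNs per second from spoofed sources that never ACK;
    a legitimate client (192.168.0.20) attempts one connection per second.
    Returns (legitimate connections opened, legitimate connections refused)."""
    table = SynBacklog(capacity, timeout)
    opened = refused = 0
    for now in range(seconds):
        for i in range(rate):
            n = now * rate + i
            # constructed spoofed sources in the slide's 62.49.10.x range
            table.on_syn((f"62.49.10.{n % 254 + 1}", 1024 + n), now)
        client = ("192.168.0.20", 2076 + now)
        if table.on_syn(client, now) and table.on_ack(client):
            opened += 1
        else:
            refused += 1
    return opened, refused


if __name__ == "__main__":
    print("100 SYN/s, capacity 256, 3 s timeout:", simulate(100, 10, 256, 3))
    print("100 SYN/s, capacity 256, 1 s timeout:", simulate(100, 10, 256, 1))
```

With 100 SYN/s and a 3 second timeout the table holds 256 entries from the third second on and every legitimate attempt after that is refused; shortening the timeout to 1 second keeps the flood below capacity.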
TCP Denial of Service (diagram)
Sender 192.168.0.20 sends a stream of TCP packets, each with the SYN flag set; every IP datagram carries Src: 62.49.10.1 (spoofed), Dest: 192.168.0.40.
Receiver 192.168.0.40 answers each with a TCP packet, SYN & ACK flag, in an IP datagram Src: 192.168.0.20, Dest: 62.49.10.1 (as labelled on the slide), so the replies go to the spoofed address and no ACK ever returns.
TCP/IP Ports
> Many processes on a single machine may be
waiting for network traffic.
> When a packet arrives, how does the transport
layer know which process it is for?
> The port allows the transport layer to deliver
the packet to the application layer.
> Packets have source and destination port.
> Source port is used by receiver as destination of
replies.
Port Assignments
> Well known ports from 0 to 1023
> http=port 80
> smtp=port 25
> syslog=port 514
> telnet=23
> ssh=22
> ftp=21 + more…
> Registered ports from 1024 to 49151
> Dynamic or private ports from 49152 to
65535
Port Multiplexing (diagram)
Host A: putty (port 2077), ie (port 2076), netscape (port 2078). Host B: telnet (port 23), apache (port 80).
Application processes exchange a Message; the Transport Layer exchanges a Packet; the Internet Layer exchanges a Datagram; the Network Layer exchanges a Frame over the Physical Network.
Ports in Action (diagram)
192.168.0.20 and www.localserver.org (192.168.0.40), connected through a switch:
HTTP message “GET index.html”: TCP packet Src Port: 2076, Dest Port: 80; IP datagram Src: 192.168.0.20, Dest: 192.168.0.40
HTTP message “Contents of index.html”: TCP packet Src Port: 80, Dest Port: 2076; IP datagram Src: 192.168.0.40, Dest: 192.168.0.20
TELNET message: TCP packet Src Port: 2077, Dest Port: 23; IP datagram Src: 192.168.0.20, Dest: 192.168.0.40
TELNET message (reply): TCP packet Src Port: 23, Dest Port: 2077; IP datagram Src: 192.168.0.40, Dest: 192.168.0.20
Network Sniffers
> Network Interface Cards normally operate in non-promiscuous mode.
> Only listen for frames with their MAC address
> A sniffer changes a NIC into promiscuous mode.
> Reads frames regardless of MAC address.
> Many different sniffers
> tcpdump
> ethereal
> Snort
Sniffing legitimately
> Do they have legitimate uses?
> Yes … when used in an authorised and
controlled manner.
> Network analyzers or protocol analyzers.
> With complex networks, they are used for
fault investigation and performance
measurement.
> Useful when understanding how a COTS
product uses the network.
Detecting Sniffers
> Detecting a sniffing attack
> Very difficult, but sometimes possible
> Tough to check remotely whether a device is sniffing. Approaches include:
> Sending large volumes of data, then sending ICMP ping requests.
> Sending data to unused IP addresses and watching for DNS requests for those IP addresses.
> Exploiting operating system quirks.
> AntiSniff, Security Software Technologies
Sniffer Safeguards
> Preventing attacks or limiting their effects
> Basically a matter of network and system design security
> Examples of safeguards are:
> Use of non-promiscuous interfaces.
> Encryption of network traffic.
> One-time passwords e.g. SecurID, S/Key.
> Lock MAC addresses to switch ports – not effective.
Networks at the building level
> New Threats
> Backbone which connects LANs
> Interconnections between the LAN and the backbone
> Control of information flow within a larger network
> Network Management itself
(Diagram: a Backbone connecting the Human Resources, Finance, Sales and Development LANs)
Network Backbone Threats 1
> Backbone carries all inter-LAN traffic
> Confidentiality
> All data could be eavesdropped
> Integrity
> Any errors could affect all the network
traffic
> Availability
> Loss of backbone means that workgroups
would be unable to communicate with each
other
Network Backbone Threats 2
> Overview of Threats
> Point of interconnection between workgroup and backbone is a sensitive area
> From security viewpoint it:
> Provides a point of access to the backbone
> Provides a point of access to all the data associated with a workgroup
> Damage at this point could affect both the workgroup and the backbone
Network Management
> An overview
> Management of complex networks is a
difficult task
> Specialised tools are available (including HP
OpenView, IBM Netview, Cabletron
Spectrum, Sun NetManager)
Fault Handling
> Without network management, faults will:
> Disrupt network operation
> Require substantial effort to identify
> Require a long time to repair
> Network Management facilities combined with
intelligent devices allows:
> Faults to be handled / identified locally
> Alert messages to be raised and gathered centrally
> Appropriate actions to be taken
Further Integration
> Physical Network
> Cable Management Systems
> Actual device locations
> Servers and Workstations
> Servers disk space monitoring
> Printer status
LAN Safeguards - 1
> Partitioning
> With a building network there will be different types
of information being processed
> Some types of data will require extra protection e.g.
> Finance
> Personnel / Human Resources
> Internal Audit
> Divisional heads
> Two situations where extra controls are needed
> Physically separate group or team
> Widely distributed group of staff
LAN Safeguards - 2
> Partitioning
> Network configured so that:
> Group workstations cabled to their own switch
> Switches programmed to restrict data flow onto the backbone
> Add a Firewall
> Control use of any network services
> Control systems that can be contacted
LAN Safeguards – 3
> Other Considerations
> If workgroup users are not located in a single area,
different measures must be adopted
> In most cases, addressing is used to control traffic
flow but does not prevent traffic being read in transit
> Higher level of security can be provided by
encryption, but:
> Does encryption mechanism understand the network
protocol?
> What is the performance impact of encryption?
> How are encryption keys generated, distributed, and
stored?
> Will a workstation on the encrypted workgroup be able
to communicate with an unencrypted server?
MAN
> Metropolitan Area Network
> New Environment
> A network which encompasses several closely located buildings (sometimes also called a campus network)
> Such expanded network environments bring additional security concerns:
> Network exposed to outside world
> Problems of scale
MAN example
(Diagram: Building A, Building B and Building C linked into one network)
MAN - 2
> Exposure to outside world
> Network has left the security of the building
> Small scale may rule out encryption
> New risks must be assessed
> Private or public areas
> Investigate constraints on solution
> e.g. buried or elevated links
> May need non-physical links
> e.g. Laser, infra-red, microwave
MAN - 3
> Problem of scale
> Information flow must be controlled, and faulty network components (in one building) must not affect other buildings, so:
> Filters / bridges / firewalls will be needed
> Network Information Centre (NIC) is required
> Normally a second level backbone is used
WAN - 1
> Wide Area Network
> National or International network
> Threats Become More Significant:
> Sensitive data (including passwords) much
more widely transmitted
> Switched network rather than point-to-point
> Change management errors
> Dark-room equipment sites
> Unauthorised access to network links
> Traffic flow monitoring (is this an issue?)
(Diagram: Global WAN)
WAN - 2
> Impact of different media
> Fibre
> Minimal external radiation
> Special equipment required for tapping
> Normally a tap causes disruption of service
> Satellite, radio, or microwave
> Extensive external radiation
> Special (but easily available) equipment needed for tapping
> Tapping does not disrupt services
> Carrier MIGHT provide some encryption
WAN - 3
> Partitioning Networks - Physical Separation
> Provides good separation
> Conceptually easy to understand
> Legacy approach - in the days when adequate logical separation was not possible
> Still done in very secure networks
> Sharing data is difficult and uncontrolled
> Costly
WAN - 4
> Partitioning Networks - Logical Separation
> Closed User Groups
> Multiple virtual networks on one physical one
> Based on network addresses
> Managed by the Network Management Centre (NMC)
> PVCs (Permanent Virtual Circuits)
> Cryptography
WAN - 5
> Data Confidentiality
> Choice of physical media
> Network Partitioning
> Link Encryption (Layer 2)
> End-to-end Encryption (Layer 4)
> Key and equipment management issues
WAN - 6
> Link Encryption
> For individual links
> Protocol Independent
> Throughput is not normally an issue
> Moderate cost (£700-£1000 per unit)
> But Link Encryption for Larger Networks
> Is expensive
> Is a management burden
> Data is not protected inside switches
WAN – 7
> Conditions of Connection (COC)
> Very powerful tool for Network Services Dept. when it does not have direct authority
> Details users’ responsibilities
> Responsible for security of their end systems
> Comply with COC’s standards
> Control access to end-systems and equipment
> Protect user-ids, passwords etc.
> Become security aware
> Support tests, investigations etc.
> User management signs up to it before getting the network service
Internet
> Internet connection prerequisite for most
corporations
> Web browsing, email, file transfer
> Increasingly used for business critical
applications
> Possible to replace expensive WAN link with
Internet VPN link
> Threats Become Critical
> Route of sensitive data not guaranteed
> Availability not guaranteed
> Denial of service attacks are real risk
> Any Internet host can probe any other host
> Plenty of malicious content (viruses, trojans,
pornography)
Internet Safeguards
> Firewalls to filter IP traffic
> DeMilitarized Zones to isolate Internet-facing machines from internal networks
> Content filters to filter email & web traffic content
> VPNs to protect critical applications
> Vital to understand how applications communicate, to understand whether risk exists.
IS3-2: Network security
Part 2 - Network management security
Outline
> The subject is divided into the
following:
> Introduction
> SNMP overview
> SNMP security
1 Introduction
> Network management protocols enable
on-line management of computers &
networks.
> They support:
> configuration management,
> accounting,
> event logging,
> help with problem diagnosis.
> They are application layer protocols.
Management security
> Two aspects of network management
security (as defined in ISO 7498-2):
> management of security - support provided
by network management protocols for
provision of security services, and
> security of management - means for
protecting network management
communications.
Internet SNMP overview
> The Simple Network Management Protocol (SNMP) is part of the Internet network management system.
> Version 1 (1990/91) is specified in RFCs 1155-1157, and 1212/1213.
> Version 2 (1993), with some security features, is specified in RFCs 1441-1448.
> Version 3 (1999), with more complete security features, in RFCs 2570-2576
SNMP V1 Architecture (diagram)
Manager (with the central MIB) and Agent (with the agent MIB) each run the stack SNMP over UDP over IP over Network, and talk across the Physical Network.
Architectural model
> Model based on
> a network management station (a host system running SNMP, with management software)
> many network elements (hosts, routers, gateways, servers).
> Management agent at a network device implements SNMP
> provides access to the Management Information Base (MIB).
SNMP management
(Diagram: Management Station connected to the Network Elements)
Connectionless Protocol
> Because V1 uses UDP, SNMP is a connectionless protocol
> No guarantee that the management traffic is received at the other entity
> Advantages:
> reduced overhead
> protocol simplicity
> Drawbacks:
> connection-oriented operations must be built into upper-layer applications, if reliability and accountability are needed
> V2 & V3 can use TCP.
SNMP Operations
> SNMP provides three simple operations :
> GET : Enables the management station to retrieve
object values from a managed station
> SET : Enables the management station to set object
values in a managed station
> TRAP : Enables a managed station to notify the
management station of significant events
> SNMP allows multiple accesses with a single
operation
SNMP Protocol Data Units
> Get Request : Used to obtain object values from an agent
> Get-Next Request : Similar to the Get Request, except it permits the retrieving of the next object instance (in lexicographical order) in the MIB tree
> Set Request : Used to change object values at an agent
> Response : Responds to the Get Request, Get-Next Request and Set Request PDUs
> Trap : Enables an agent to report an event to the management station (no response from the manager entity)
SNMP Port Numbers
> The UDP port numbers used for SNMP
are :
161 (Requests) and 162 (Traps)
> Manager behaviour :
> listens for agent traps on local port 162
> sends requests to port 161 of remote agent
> Agent behaviour :
> listens for manager requests on local port
161
> sends traps to port 162 of remote manager
SNMP messages (diagram)
192.168.0.20 to the agent at 192.168.0.254: SNMP message GET-REQUEST; UDP datagram Src Port: 3042, Dest Port: 161; IP datagram Src: 192.168.0.20, Dest: 192.168.0.254
192.168.0.254 to 192.168.0.20: SNMP message GET-REQUEST reply; UDP datagram Src Port: 161, Dest Port: 3042; IP datagram Src: 192.168.0.254, Dest: 192.168.0.20
Other managed devices in the diagram: 192.168.0.40, 192.168.1.254, 192.168.2.254, 192.168.254.254
SNMP Message Format
> All V1 SNMP PDUs are built in the same way:
  Version | Community | SNMP PDU
> Community - local concept, defined at each device
> SNMP community = set of SNMP managers allowed to access this device
> Each community is defined using a unique (within the device) name
> Each manager must indicate the name of the community it belongs to in all get and set operations.
Trap Examples
> Cisco router traps
> authentication
> device is the addressee of an SNMP protocol message
that is not properly authenticated. (SNMPv1 - incorrect
community string)
> linkup
> device recognizes that one of the communication links
represented in the agent's configuration has come up.
> linkdown
> device recognizes a failure in one of the communication
links represented in the agent's configuration.
> coldstart
> device is reinitializing itself so that the configuration
may be altered.
> warmstart
> device is reinitializing itself, but the configuration will
not be altered.
Base SNMP Security Mechanisms
> The basic SNMP Version 1 standard
provides only trivial security
mechanisms, based on:
> Authentication Mechanism
> Access mode Mechanism
Authentication Mechanism
> Authentication Service: assure the destination
that the SNMP message comes from the
source from which it claims to be
> Based on community name, included in every
SNMP message from a management station to
a device
> This name functions as a password : the
message is assumed to be authentic if the
sender knows the password
> No encryption of the community name
SNMP V1 Key Vulnerability
> If an attacker can view the community
string
> They can masquerade as a member of the
community by including the community
string in SNMP messages.
> The attacker may be able to manage any
agent that shares that community string.
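The Version | Community | PDU layout and the key vulnerability above, as an added example (not the lecture's code): a minimal BER encoder and decoder for an SNMPv1 GetRequest, showing that the community string travels as a plain octet string that anyone who captures the datagram can read. The community name "public", the sysDescr OID and the request id are constructed sample values.

```python
# ASN.1 BER tags used by SNMPv1 (universal, plus context-specific PDU tags)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
PDU_NAMES = {GET_REQUEST: "GetRequest", GET_NEXT: "GetNextRequest",
             GET_RESPONSE: "GetResponse", SET_REQUEST: "SetRequest"}


def _length(n):
    """BER length: short form below 128 bytes, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value


def enc_int(v):
    """Two's-complement INTEGER of minimal length (non-negative values here)."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))


def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # continuation bit on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def build_get_request(community, oid, request_id):
    """SNMPv1 message = SEQUENCE { version 0, community, GetRequest PDU }."""
    varbind = tlv(SEQUENCE, enc_oid(oid) + tlv(NULL, b""))
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbind)
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode())
               + tlv(GET_REQUEST, pdu))


def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def parse_header(msg):
    """What a passive observer recovers from one captured datagram: the version,
    the community (the 'password') in the clear, the PDU type and request id."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, req_id, _ = _read_tlv(pdu, 0)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True)}


if __name__ == "__main__":
    msg = build_get_request("public", "1.3.6.1.2.1.1.1.0", 3042)   # sysDescr.0
    print(msg.hex())
    print(parse_header(msg))
```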
Access Mode Mechanism
> Based on community profiles
> A community profile consists of the combination of:
> a defined subset of MIB objects (MIB view)
> an access mode for those objects (READ-ONLY or READ-WRITE)
> A community profile is associated to each community defined by an agent
Security threats
> Two primary threats:
> data modification - to an SNMP message,
> masquerade - impersonator might send
false SNMP messages.
> Two secondary threats:
> message stream modification - reordering,
replay and/or delay of SNMP messages,
> eavesdropping - on SNMP messages.
Security services
> Identified security services to meet threats:
> data origin authentication,
> data integrity,
> message sequence integrity,
> data confidentiality,
> message timeliness & limited replay protection
User-based Security Model
> A User, identified by UserName holds:
> Secret keys
> Other security information such as
cryptographic algorithms to be used.
> SNMP V3 entities are identified by
snmpEngineID.
> Each managed device or management
station has an snmpEngineID
Authoritative SNMP entities
> Whenever a message is sent, one entity
is authoritative.
> For get or set, receiver is authoritative.
> For trap, response or report, sender is
authoritative.
> Authoritative entity has:
> Localised keys
> Timeliness indicators
Timeliness Indicators
> Prevent replay of messages.
> Each authoritative entity maintains a
clock.
> A non-authoritative entity has to
retrieve the time from the authoritative
entity, confirm the received value, then
maintain a synchronised clock.
> Messages can arrive within 150 seconds
of their generated time.
Keys
> Keys generated from user password.
> User provides password to all entities.
> Each entity generates a key from the password and generates two further keys using the entity’s snmpEngineID.
> One for authentication
> One for confidentiality
Data Integrity and Authenticity
> Generate a cryptographic “fingerprint” of any
message to be protected.
> Send the “fingerprint” with the message.
> Derive two temporary keys K2, K3 from localized
user key K1.
> Compute T = Hash(K3 | SNMP Msg)
> Compute M = Hash(K2 | T)
> First 96 bits of M are the MAC (Message
Authentication Code)
> Must support HMAC-MD5-96, may support
HMAC-SHA-96
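The key generation and fingerprint steps above (password to key, localisation with snmpEngineID, then K2/K3, T and M to a 96-bit MAC), as an added example that is not the lecture's code. The password-to-key and localisation formulas follow RFC 3414 (the password is repeated to 1 MiB and hashed; Kul = MD5(Ku | snmpEngineID | Ku)); the password and engine IDs are constructed values.

```python
import hashlib
import hmac


def password_to_key(password: bytes) -> bytes:
    """RFC 3414 password-to-key: MD5 over the password repeated to exactly 1 MiB -> Ku."""
    reps = 1048576 // len(password) + 1
    return hashlib.md5((password * reps)[:1048576]).digest()


def localize(ku: bytes, engine_id: bytes) -> bytes:
    """Localised key Kul = MD5(Ku | snmpEngineID | Ku): one key per authoritative entity,
    so a key captured from one device does not work on another."""
    return hashlib.md5(ku + engine_id + ku).digest()


def hmac_md5_96(k1: bytes, msg: bytes) -> bytes:
    """The slide's recipe: K2, K3 from localised key K1; T = Hash(K3 | Msg);
    M = Hash(K2 | T); the first 96 bits of M are the MAC."""
    k1 = k1.ljust(64, b"\x00")                 # MD5 block size
    k2 = bytes(b ^ 0x5C for b in k1)           # outer key
    k3 = bytes(b ^ 0x36 for b in k1)           # inner key
    t = hashlib.md5(k3 + msg).digest()
    m = hashlib.md5(k2 + t).digest()
    return m[:12]


def verify(k1: bytes, msg: bytes, mac: bytes) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(hmac_md5_96(k1, msg), mac)


# Constructed values; the authentication password and engine IDs are examples.
PASSWORD = b"maplesyrup"
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")


def demo():
    ku = password_to_key(PASSWORD)
    kul_a, kul_b = localize(ku, ENGINE_A), localize(ku, ENGINE_B)
    msg = b"constructed SNMPv3 message bytes"
    mac = hmac_md5_96(kul_a, msg)
    return {
        "keys_differ": kul_a != kul_b,                  # same password, different entity
        "mac_len": len(mac),                            # 96 bits
        "matches_stdlib": mac == hmac.new(kul_a, msg, "md5").digest()[:12],
        "tamper_detected": not verify(kul_a, msg + b"x", mac),
        "wrong_entity_rejected": not verify(kul_b, msg, mac),
    }


if __name__ == "__main__":
    print(demo())
```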
Data Confidentiality
> DES in Cipher Block Chaining mode.
> Second localised key.
> Has to be used together with Data
Integrity and Authenticity.
Management of SNMP security
> Following data needs to be managed:
> secret (authentication and privacy) keys,
> clock synchronisation (for replay detection),
> SNMP party information.
> SNMP can be used to provide key
management and clock synchronisation.
> After manually setting up some SNMP
parties, rest can be managed using
SNMP.